topic Rex expression built with field extractor not working? in Splunk Search https://community.splunk.com/t5/Splunk-Search/Rex-expression-built-with-field-extractor-not-working/m-p/712384#M240330 <P>I have a reliable base query to find events containing the information I want.</P><P>I built a rex using the field extractor, but applying the rex expression in a search does not yield any results, <EM>the values(gts_percent) column is always blank</EM></P><P><BR />Sample query:</P><PRE>index="june_analytics_logs_prod" $serial$ log_level=info message=*hardware_controller*|<BR />rex field=message "(?=[^G]*(?:GTS weight:|G.*GTS weight:))^(?:[^\.\n]*\.){7}\d+\w+,\s+\w+:\s+(?P&lt;gts_percent&gt;\d+)"|<BR />convert rmunit(gts_percent)|<BR />chart values(gts_percent) by _time</PRE><P>&nbsp;</P><P>Sample raw_ result :</P><PRE><SPAN>{"</SPAN><SPAN class="">bootcount</SPAN><SPAN>"</SPAN><SPAN class="">:8</SPAN><SPAN>,"</SPAN><SPAN class="">device_id</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">XXX</SPAN><SPAN>","</SPAN><SPAN class="">environment</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">prod_walker</SPAN><SPAN>","</SPAN><SPAN class="">event_source</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">appliance</SPAN><SPAN>","</SPAN><SPAN class="">event_type</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">GENERIC</SPAN><SPAN>","</SPAN><SPAN class="">local_time</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">2025-02-20T00:47:48.124-06:00</SPAN><SPAN>",<BR />"</SPAN><SPAN class="">location</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>{"</SPAN><SPAN class="">city</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">XX</SPAN><SPAN>","</SPAN><SPAN class="">country</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">XX</SPAN><SPAN>","</SPAN><SPAN class="">latitude</SPAN><SPAN>"</SPAN><SPAN class="">:XXX</SPAN><SPAN>,"</SPAN><SPAN class="">longitude</SPAN><SPAN>"</SPAN><SPAN class="">:XXX</SPAN><SPAN>,"</SPAN><SPAN class="">state</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">XXX</SPAN><SPAN>"},<BR />"</SPAN><SPAN class="">log_level</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">info</SPAN><SPAN>","</SPAN><SPAN class="">message</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">martini::hardware_controller:</SPAN> <SPAN class="">GTS</SPAN> <SPAN class="">weight:</SPAN> <SPAN class="">17.05kg</SPAN><SPAN>, </SPAN><SPAN class="">tare</SPAN> <SPAN class="">weight:</SPAN> <SPAN class="">8.1kg</SPAN><SPAN>, </SPAN><SPAN class="">net</SPAN> <SPAN class="">weight:</SPAN> <SPAN class="">8.95kg</SPAN><SPAN>, </SPAN><SPAN class="">fill</SPAN> <SPAN class="">weight:</SPAN> <SPAN class="">6.8kg</SPAN><SPAN>, </SPAN><SPAN class="">percent:</SPAN> <SPAN class=""><STRONG>100%</STRONG>\u0000</SPAN><SPAN>",<BR />"</SPAN><SPAN class="">model_number</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">XXX</SPAN><SPAN>","</SPAN><SPAN class="">sequence</SPAN><SPAN>"</SPAN><SPAN class="">:403659</SPAN><SPAN>,"</SPAN><SPAN class="">serial</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class=""><SPAN class="">XXX</SPAN></SPAN><SPAN>","</SPAN><SPAN class="">software_version</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">2.3.0.276</SPAN><SPAN>","</SPAN><SPAN class="">ticks</SPAN><SPAN>"</SPAN><SPAN class="">:0</SPAN><SPAN>,"</SPAN><SPAN class="">timestamp</SPAN><SPAN>"</SPAN><SPAN class="">:1740034068</SPAN><SPAN>,"</SPAN><SPAN class="">timestamp_ms</SPAN><SPAN>"</SPAN><SPAN class="">:1740034068124}</SPAN></PRE><P>&nbsp;</P><P>I am trying to extract the bold value in the raw, Where is my rex messing up?</P> Mon, 24 Feb 2025 18:13:05 GMT nkavouris 2025-02-24T18:13:05Z Rex expression built with field extractor not working? https://community.splunk.com/t5/Splunk-Search/Rex-expression-built-with-field-extractor-not-working/m-p/712384#M240330 <P>I have a reliable base query to find events containing the information I want.</P><P>I built a rex using the field extractor, but applying the rex expression in a search does not yield any results, <EM>the values(gts_percent) column is always blank</EM></P><P><BR />Sample query:</P><PRE>index="june_analytics_logs_prod" $serial$ log_level=info message=*hardware_controller*|<BR />rex field=message "(?=[^G]*(?:GTS weight:|G.*GTS weight:))^(?:[^\.\n]*\.){7}\d+\w+,\s+\w+:\s+(?P&lt;gts_percent&gt;\d+)"|<BR />convert rmunit(gts_percent)|<BR />chart values(gts_percent) by _time</PRE><P>&nbsp;</P><P>Sample raw_ result :</P><PRE><SPAN>{"</SPAN><SPAN class="">bootcount</SPAN><SPAN>"</SPAN><SPAN class="">:8</SPAN><SPAN>,"</SPAN><SPAN class="">device_id</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">XXX</SPAN><SPAN>","</SPAN><SPAN class="">environment</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">prod_walker</SPAN><SPAN>","</SPAN><SPAN class="">event_source</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">appliance</SPAN><SPAN>","</SPAN><SPAN class="">event_type</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">GENERIC</SPAN><SPAN>","</SPAN><SPAN class="">local_time</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">2025-02-20T00:47:48.124-06:00</SPAN><SPAN>",<BR />"</SPAN><SPAN class="">location</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>{"</SPAN><SPAN class="">city</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">XX</SPAN><SPAN>","</SPAN><SPAN class="">country</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">XX</SPAN><SPAN>","</SPAN><SPAN class="">latitude</SPAN><SPAN>"</SPAN><SPAN class="">:XXX</SPAN><SPAN>,"</SPAN><SPAN class="">longitude</SPAN><SPAN>"</SPAN><SPAN class="">:XXX</SPAN><SPAN>,"</SPAN><SPAN class="">state</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">XXX</SPAN><SPAN>"},<BR />"</SPAN><SPAN class="">log_level</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">info</SPAN><SPAN>","</SPAN><SPAN class="">message</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">martini::hardware_controller:</SPAN> <SPAN class="">GTS</SPAN> <SPAN class="">weight:</SPAN> <SPAN class="">17.05kg</SPAN><SPAN>, </SPAN><SPAN class="">tare</SPAN> <SPAN class="">weight:</SPAN> <SPAN class="">8.1kg</SPAN><SPAN>, </SPAN><SPAN class="">net</SPAN> <SPAN class="">weight:</SPAN> <SPAN class="">8.95kg</SPAN><SPAN>, </SPAN><SPAN class="">fill</SPAN> <SPAN class="">weight:</SPAN> <SPAN class="">6.8kg</SPAN><SPAN>, </SPAN><SPAN class="">percent:</SPAN> <SPAN class=""><STRONG>100%</STRONG>\u0000</SPAN><SPAN>",<BR />"</SPAN><SPAN class="">model_number</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">XXX</SPAN><SPAN>","</SPAN><SPAN class="">sequence</SPAN><SPAN>"</SPAN><SPAN class="">:403659</SPAN><SPAN>,"</SPAN><SPAN class="">serial</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class=""><SPAN class="">XXX</SPAN></SPAN><SPAN>","</SPAN><SPAN class="">software_version</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">2.3.0.276</SPAN><SPAN>","</SPAN><SPAN class="">ticks</SPAN><SPAN>"</SPAN><SPAN class="">:0</SPAN><SPAN>,"</SPAN><SPAN class="">timestamp</SPAN><SPAN>"</SPAN><SPAN class="">:1740034068</SPAN><SPAN>,"</SPAN><SPAN class="">timestamp_ms</SPAN><SPAN>"</SPAN><SPAN class="">:1740034068124}</SPAN></PRE><P>&nbsp;</P><P>I am trying to extract the bold value in the raw, Where is my rex messing up?</P> Mon, 24 Feb 2025 18:13:05 GMT https://community.splunk.com/t5/Splunk-Search/Rex-expression-built-with-field-extractor-not-working/m-p/712384#M240330 nkavouris 2025-02-24T18:13:05Z Re: Rex expression built with field extractor not working? https://community.splunk.com/t5/Splunk-Search/Rex-expression-built-with-field-extractor-not-working/m-p/712389#M240331 <P>The field extractor and <FONT face="courier new,courier">erex</FONT> commands tend to create overly complicated expressions.&nbsp; This one should work.</P><LI-CODE lang="markup">| rex field=message "percent: (?&lt;gts_percent&gt;\d+)"</LI-CODE><P>&nbsp;</P> Mon, 24 Feb 2025 18:54:10 GMT https://community.splunk.com/t5/Splunk-Search/Rex-expression-built-with-field-extractor-not-working/m-p/712389#M240331 richgalloway 2025-02-24T18:54:10Z Re: Rex expression built with field extractor not working? https://community.splunk.com/t5/Splunk-Search/Rex-expression-built-with-field-extractor-not-working/m-p/712394#M240332 <P>this worked like a charm!&nbsp;<BR />thank you!</P> Mon, 24 Feb 2025 19:30:18 GMT https://community.splunk.com/t5/Splunk-Search/Rex-expression-built-with-field-extractor-not-working/m-p/712394#M240332 nkavouris 2025-02-24T19:30:18Z